Uses Of Unmanned Aerial Vehicles (UAVs) In Crime Scene Investigations

by Chirath De Alwis and Chamalka De Silva

Recent advancements in technology have helped many people to have a better quality of life. Unmanned Aerial Vehicles (UAVs), also known as ‘drones’, are one such technological advancement that can help society to simplify day-to-day activities. These drones are now widely used in many industries such as agriculture, photography, and transportation. But this same technology can also be used to conduct unethical activities.

Capturing privacy-related content, illegal interception of other drones, and military use of drones in bombings are some common scenarios of unethical activities that can be done using drones. Investigating each scenario requires a different approach, as the availability of evidence can vary. Therefore, digital forensics investigators need to be able to examine drones in crime scene investigations. This article focuses on the technology behind drones and how drones can be useful in crime scene investigations. This helps investigators to simplify their digital forensics investigations when looking at drones.

Introduction

An unmanned aerial vehicle (UAV) (or un-crewed aerial vehicle, commonly known as a drone) is an aircraft without a human pilot on board and is a type of unmanned vehicle. UAVs are a component of an unmanned aircraft system (UAS), which includes a UAV, a ground-based controller, and a system of communications between the two. The flight of UAVs may operate with various degrees of autonomy: either under remote control by a human operator or autonomously by onboard computers.

Classification of UAVs

UAVs typically fall into one of six functional categories[1]:

  • Target and decoy
    • providing ground and aerial gunnery of a target that simulates an enemy aircraft or missile
  • Reconnaissance
    • providing battlefield intelligence
  • Combat
    • providing attack capability for high-risk missions 
  • Logistics
    • delivering cargo
  • Research and development
    • improving UAV technologies
  • Civil and commercial UAVs
    • agriculture, aerial photography, data collection

Technologies Used in UAVs

This section describes the latest technologies used in UAVs which will have a forensic value in crime scene investigations. UAVs have many other technologies, but these are the ones with the most forensic value.   

How Drones Work

Drones are made up of lightweight and durable materials, such as fiber and plastic. In order to operate a drone, users require an aircraft (also known as the drone), a controller unit, signal extenders, a battery, and a mobile device. The type of sensors and camera equipment can vary based on the type of drone and its purpose. 

A drone controller unit is required to connect to a mobile device that has an application which helps to view the path and navigate. Navigation can be controlled using the controller. The signal extender helps the user to extend the coverage of the drone signal, which helps it to fly for longer distances. Once the drone is ready for take-off, the user needs to power on the drone and connect to the controller using the mobile device. All the flight paths, camera view, battery status, and weather information are displayed in the mobile device attached to the controller. Modern drones have their own applications that are supported on both Android and iOS platforms. Flight records are stored inside the application, and users can upload the flight logs into the drone manufacturer’s cloud if required [2].  

Technology behind UAVs

Radar Positioning & Return Home

The latest drones have dual Global Navigation Satellite Systems (GNSS), such as GPS and GLONASS [3]. Modern drones can fly with or without GNSS. DJI calls these modes ‘P-Mode’ (which uses both GPS and GLONASS) and ‘ATTI mode’ (which does not use GPS or GLONASS, leaving the user to control the drone on their own).

When the drone is first switched on, it searches for and detects GNSS satellites, and saves the GPS coordinates as the “Home Point”. High-end GNSS systems use Satellite Constellation technology [3]. Basically, a satellite constellation is a group of satellites working together to give coordinated coverage, synchronized so that they overlap well in terms of coverage [3].

Most of the latest drones have three types of ‘Return to Home’ drone technology, as follows [3]:

  • Pilot-initiated return to home by pressing a button on the Remote Controller or in an app
  • A low battery level, where the UAV will fly automatically back to the home point
  • Loss of contact between the UAV and Remote Controller, with the UAV flying back automatically to its home point

Obstacle Detection and Collision Avoidance Technology

High-tech drones use four cameras and several sensors (the exact number depends on the type of drone) to detect obstacles in advance and avoid collisions. These sensors continuously scan their surroundings and alert the controller to avoid collisions. Some of the latest drones, such as Mavic Air, use this technology when using the ‘automatic return to home’ function. These systems fuse one or more of the following sensors to sense and avoid potential collisions[3]:

  • vision sensors
  • ultrasonic
  • infrared
  • lidar
  • time of flight (ToF)
  • monocular vision

No-Fly Zone Drone Technology

There are some high-security areas where flying drones is restricted (e.g. airport runways). These restrictions are put in place by governments and the Federal Aviation Authority (FAA), prompting DJI and other manufacturers to introduce a “No-Fly Zone” feature [3]. Once the drone is flying, it uses GPS to detect these restricted areas automatically and stops when it tries to enter one. If a user tries to launch a drone inside a no-fly zone, the drone motor will not operate, and the user will not be able to fly within the restricted area.

DJI No Fly Zone in USA [4]

GPS ‘Ready To Fly’ Mode Drone Technology

When the compass is calibrated, the drone then seeks the location of the GPS satellites. When more than six are found, it allows the drone to fly in “Ready to Fly” Mode [3].

FPV Live Video Transmission Drone Technology

FPV means “First Person View”. A video camera is mounted on the unmanned aerial vehicle and this camera broadcasts the live video to the pilot on the ground [3].  

FPV Over 4G / LTE Networks

In 2016 a new live video option, which transmits over the 4G / LTE network and provides unlimited range and low-latency video, was announced [3]. This is the Sky Drone FPV 2, which comprises a camera module, a data module and a 4G / LTE modem [3].

Range Extender UAV Technology

This is used to extend the range of communication between the smartphone or tablet and the drone in an open, unobstructed area [3]. The transmission distance can reach up to 700 meters. Each range extender has a unique MAC address and network name (SSID) [3].

Drone Range Extender [5]

Operating Systems in Drone Technology

Most unmanned aircraft use Linux, and a few use Microsoft Windows. The Linux Foundation launched a project in 2014 called the Dronecode Project: an open source, collaborative project which brings together existing and future open source unmanned aerial vehicle projects under a nonprofit structure governed by The Linux Foundation [3]. 

Data available in UAVs

In commercial (non-military) drones, the primary available evidence would be GPS locations, media files and flight logs. The locations of these files and their extraction are described in another article [6].

It is important to understand that the flight logs recorded inside the drone are not accessible to the user by default. To access the flight log files stored in the drone, the user needs to open the app (DJI Assistant) on the computer and click “flight data”. This will mount the memory inside the drone, which contains the flight logs in .DAT file format. The file name will look like “FLY807.DAT”. These logs can also be viewed using the online tool Airdata.com [7].

How Can UAVs Support Digital Forensic Investigations?

There are many cases where drones can be used to commit crimes or become part of a crime scene. Investigators should understand the scenario and analyze the evidence accordingly. This section describes the most common scenarios, what information is available, and most importantly, how to start the investigation.

Illegal/Unauthorized Data Capturing

Scenario:

The primary use of drones is capturing videos. Some users choose to capture illegal videos of unauthorized content; for example, people can use drones to take videos of what their neighbors are doing. People sometimes also try to get into unauthorized territories to capture footage. A great example of this is the attempts to capture activities in Area 51 [8]. Sometimes people use drones for information-gathering and, in this case, rather than capturing the footage they can view it live.

Potential Evidence:

When investigating crimes like these, the primary evidence would be images or videos captured by the drone. Analyzing these videos or images should show what the controller has captured. If the controller did not capture the footage but watched the content in real time, we can analyze the flight logs and verify whether the drone was flying around the suspected area or not. Since the flight logs contain flight maps, the controller cannot deny that the drone flew in the suspected area.
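The flight-log check described above can be scripted. The following is an added example, not code from the original article: it assumes the flight log has already been exported to CSV with hypothetical columns `time_utc,lat,lon,alt_m`, uses a constructed track and a constructed site of interest, and treats the first recorded fix as an approximation of the Home Point.

```python
import csv
import io
import math
from datetime import datetime

# Constructed flight-log export. Column names are assumptions for this example
# and do not describe the layout of a vendor's .DAT file.
SAMPLE_LOG = """time_utc,lat,lon,alt_m
2019-10-01T09:00:00,6.92500,79.86500,0.0
2019-10-01T09:00:30,6.92700,79.86500,40.0
2019-10-01T09:01:00,6.92880,79.86500,40.0
2019-10-01T09:01:30,6.92990,79.86500,35.0
2019-10-01T09:02:00,6.93100,79.86500,35.0
2019-10-01T09:02:30,6.93300,79.86500,40.0
2019-10-01T09:03:00,6.93100,79.86500,40.0
2019-10-01T09:03:30,6.92700,79.86500,40.0
2019-10-01T09:04:00,6.92500,79.86500,0.0
"""

EARTH_RADIUS_M = 6371000.0
SITE = (6.93000, 79.86500)  # constructed location under investigation


def haversine_m(a, b):
    """Great-circle distance in metres between two (lat, lon) pairs."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(h))


def load_track(text):
    """Return [(time, (lat, lon), alt_m)] sorted by time."""
    track = [(datetime.fromisoformat(r["time_utc"]),
              (float(r["lat"]), float(r["lon"])), float(r["alt_m"]))
             for r in csv.DictReader(io.StringIO(text))]
    return sorted(track, key=lambda p: p[0])


def passes_over(track, site, radius_m):
    """Each continuous run of fixes within radius_m of site:
    (first_time, last_time, closest_distance_m)."""
    passes, run = [], None
    for when, pos, _alt in track:
        dist = haversine_m(pos, site)
        if dist <= radius_m:
            run = (run[0], when, min(run[2], dist)) if run else (when, when, dist)
        elif run:
            passes.append(run)
            run = None
    if run:
        passes.append(run)
    return passes


def home_point(track):
    """First recorded fix, used here as an approximation of the Home Point."""
    return track[0][1]


if __name__ == "__main__":
    track = load_track(SAMPLE_LOG)
    print("home point:", home_point(track))
    for first, last, closest in passes_over(track, SITE, radius_m=150):
        print(f"inside 150 m from {first.time()} to {last.time()}, "
              f"closest {closest:.0f} m")
```

Each reported pass gives the examiner a time window to correlate with media files, witness statements or other logs.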

Session Hijacking With Drones

Scenario:

The remote control unit is connected to the drone using a wireless communication medium; depending on the model of the drone, the technology can vary. In earlier stages, drones like Phantom 3 used their own Wi-Fi connections to connect to their controllers. Some of these communication mediums and technologies can have multiple vulnerabilities that allow attackers to interfere with the signals. Therefore, it is possible to conduct session hijacking and take ownership, or full control, of the drone. A great example of this is Iran's recent takedown of a US military drone [9]. Recently, researchers have found a camera that can detect and take down drones [10]. These techniques are most commonly used in the military.

Hacking Drone [11]

Potential Evidence:

Once a drone has been taken down or intercepted, the only evidence we will have to investigate is the flight logs recorded in the mobile device (from the controller). Analyzing these should help investigators to understand where the interception happened. When analyzing the flight log notifications, it should be possible to identify the interference and disconnection. If the drone was fully taken down or fully intercepted, then the “Find my drone” option should not detect the drone, because the controller cannot identify the drone from its GPS signals.
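The notification analysis described above can be scripted as follows. This is an added example, not code from the original article: the CSV columns and the message codes (`SIGNAL_WEAK`, `SIGNAL_LOST` and so on) are hypothetical, and the log is constructed.

```python
import csv
import io
from datetime import datetime

# Constructed controller-side flight log. The columns and message codes are
# assumptions for this example; real controller apps use their own wording.
SAMPLE_LOG = """time_utc,lat,lon,alt_m,message
2019-10-01T10:00:00,6.92500,79.86500,0.0,TAKEOFF
2019-10-01T10:00:10,6.92540,79.86500,30.0,
2019-10-01T10:00:20,6.92580,79.86500,30.0,
2019-10-01T10:00:30,6.92620,79.86500,31.0,SIGNAL_WEAK
2019-10-01T10:00:40,6.92660,79.86500,31.0,SIGNAL_INTERFERENCE
2019-10-01T10:01:30,6.92900,79.86800,45.0,SIGNAL_RESTORED
2019-10-01T10:01:40,6.92940,79.86850,45.0,SIGNAL_LOST
"""

LINK_CODES = {"SIGNAL_WEAK", "SIGNAL_INTERFERENCE", "SIGNAL_LOST", "SIGNAL_RESTORED"}


def load_records(text):
    """Parse the CSV into dicts with typed fields, sorted by time."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        records.append({
            "time": datetime.fromisoformat(row["time_utc"]),
            "pos": (float(row["lat"]), float(row["lon"])),
            "alt_m": float(row["alt_m"]),
            "message": row["message"].strip(),
        })
    return sorted(records, key=lambda r: r["time"])


def telemetry_gaps(records, max_gap_s=15):
    """Silences longer than max_gap_s, with the last position seen before each."""
    gaps = []
    for prev, cur in zip(records, records[1:]):
        seconds = (cur["time"] - prev["time"]).total_seconds()
        if seconds > max_gap_s:
            gaps.append({"from": prev["time"], "to": cur["time"],
                         "seconds": seconds, "last_pos": prev["pos"]})
    return gaps


def link_events(records):
    """Link-related notifications in time order."""
    return [(r["time"], r["message"], r["pos"]) for r in records
            if r["message"] in LINK_CODES]


def summarize(records):
    """Collect the facts an examiner would put in the timeline."""
    last = records[-1]
    return {
        "gaps": telemetry_gaps(records),
        "link_events": link_events(records),
        # A log that stops in the air, with no landing record, fits the case
        # of a drone that never came back to its controller.
        "ended_in_flight": last["message"] != "LANDED" and last["alt_m"] > 0,
        "last_known_pos": last["pos"],
        "last_seen": last["time"],
    }


if __name__ == "__main__":
    report = summarize(load_records(SAMPLE_LOG))
    for when, msg, pos in report["link_events"]:
        print(when.isoformat(), msg, pos)
    for gap in report["gaps"]:
        print("gap of", gap["seconds"], "s after", gap["last_pos"])
    print("ended in flight:", report["ended_in_flight"], report["last_known_pos"])
```

The last position before a gap and the last position in the log bound the area where the link was lost, which is where a physical search or a request for nearby evidence would start.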

Stolen Drones 

Scenario:

Sometimes drones can fall into a no man’s land due to a crash with an obstacle. In these cases, it is possible that someone might steal the drone. 

Potential Evidence:

This is a bit more straightforward than the previous scenarios. In this case, we can try to connect to the drone using GPS signals. The user can use the “Find my drone” option to navigate to the drone [12]. There are several cases reported in which users have identified their drones using this technique. When locating a drone using this option, if the drone appears to move, this could indicate that someone is taking the drone. 

Suicide Drones 

Scenario:

These drones can be used to crash aircraft. Even though drones fly at a limited speed, the high speed of commercial aircraft means that crashing a drone into a commercial aircraft can have a huge impact on the plane. The latest example of this is the drone attack on the world’s largest oil processing facility in Saudi Arabia, for which Houthi rebels have claimed responsibility [13].

Potential Evidence:

When a crash occurs, the potential evidence available is the crashed drone. Even though the drone has crashed, sometimes it is still possible to get the memory from the drone. But this is totally dependent on the impact to the drone. If the drone memory chip is available, investigators can analyze this and get the flight records from the drone memory, which will help in identifying where the drone’s journey started and its flight path up to the collision point. 

Drone Crash

Scenario:

A drone crash can happen in many ways. Internal technical failures and collision with an obstacle are two common scenarios. The “Second MoD Airbus Zephyr” spy drone crash on an Aussie test flight on 9th Oct 2019 is a recent example [14].

Potential Evidence:

When a drone crashes, the potential evidence would be the drone memory or the flight log in the controller device. But most modern aircraft can avoid obstacles, and this can be detected from the notifications. When the drone avoids an obstacle, it sends a notification to the controller device. The controller unit also receives notifications when a technical issue has occurred. This notification information is available in the flight logs. Analyzing these messages can show what caused the crash.

Once a drone has crashed, the most important task is to identify the location of the drone. Depending on the wind speed, altitude, ground condition, and various other parameters, the crash point can vary. Recent research has been conducted into mathematically locating ocean-downed aircraft [15]. This same formula can be modified to identify crash points for drones. The required information for this calculation can be found in the flight log located in the controller device.

UAV Anti-Forensics 

When criminals commit crimes they always try to hide their digital footprints to evade detection. Often criminals use anti-forensic techniques to mislead forensic investigators. As a forensic investigator, having an understanding of these helps us not to come to false conclusions during the investigation. This section covers some key anti-forensic techniques.

Altering Timestamps

A timestamp is a vital piece of evidence when conducting a forensic investigation on digital devices. Timestamp information helps to identify what has happened and when it happened. Timestamps also help in correlating events. Therefore, altering the timestamp is useful for criminals who want to mislead investigations. Recent research has revealed that it is possible to manipulate the timestamp of recorded media files by altering the system time in the Android OS before powering on the UAV [16]. Afterwards, all of the files created by the camera show the modified timestamp [16]. To investigate whether the timestamp has been tampered with or not, investigators need to use the DJI vision app or look into the camera log.

Blocking GPS Signals

Since GPS plays a crucial part when it comes to investigations, most attackers try to manipulate GPS data. Changing GPS data in media files does not limit the investigation of GPS records, though, since GPS data is available via the in-flight records as well. Therefore, the main possibility of manipulating GPS data is through restricting GPS signals. Recent research has attempted to disable the GPS module from drones [16], but the drones were unable to take off. In a follow-up piece of research, the researchers covered the top of the drone by attaching tin foil directly over the GPS receiver [16]. Since there was then no signal coming into the drone, the drone camera did not record any timestamps in the media files. The home point was also not recorded in the drone [16]. Since this helps to block the GPS signals, it also means that users can fly the drone in restricted areas without any issues. 

References

  1. Medium. (2016). UAV Types, Classifications and Purposes. [online] Available at: https://medium.com/@UAVLance/uav-types-classifications-and-purposes-70651867194d [Accessed 6 Oct. 2019].
  2. De Alwis, C. (2019). Crime Scene Investigation of GPS Data in Unmanned Aerial Vehicles (UAVs). [online] Forensic Focus – Articles. Available at: https://articles.forensicfocus.com/2019/10/03/crime-scene-investigation-of-gps-data-in-unmanned-aerial-vehicles-uavs/ [Accessed 8 Oct. 2019].
  3. Corrigan, F. (2019). How Do Drones Work And What Is Drone Technology. [online] DroneZon. Available at: https://www.dronezon.com/learn-about-drones-quadcopters/what-is-drone-technology-or-how-does-drone-technology-work/ [Accessed 8 Oct. 2019].
  4. DJI Official. (2019). DJI – The World Leader in Camera Drones/Quadcopters for Aerial Photography. [online] Available at: https://www.dji.com/flysafe/geo-map [Accessed 4 Oct. 2019].
  5. Amazon.com. (2019). Ultimaxx Copper Parabolic Antenna Signal Range Booster for DJI Phantom 4, P4 pro, P4 Advanced, Phantom 3 Pro, Advanced and 4K Inspire 1 Controller. [online] Available at: https://www.amazon.com/Ultimaxx-Parabolic-Antenna-Advanced-Controller/dp/B0794GSQB7/ref=sr_1_11?keywords=drone+range+extender&qid=1571113640&sr=8-11 [Accessed 9 Oct. 2019].
  6. De Alwis, C. (2019). Crime Scene Investigation of GPS Data in Unmanned Aerial Vehicles (UAVs). [online] Forensic Focus – Articles. Available at: https://articles.forensicfocus.com/2019/10/03/crime-scene-investigation-of-gps-data-in-unmanned-aerial-vehicles-uavs/ [Accessed 8 Oct. 2019].
  7. Airdata.com. (2019). Drone Data Management and Flight Analysis | Airdata UAV. [online] Available at: https://airdata.com/ [Accessed 11 Oct. 2019].
  8. Ronson, J. (2016). This Guy Sent a Drone to Spy on Area 51. [online] Inverse. Available at: https://www.inverse.com/article/12415-this-could-be-the-last-drone-footage-of-area-51-you-ll-ever-see [Accessed 4 Oct. 2019].
  9. Berlinger, J. and Starr, B. (2019). Iran shoots down US drone aircraft. [online] CNN. Available at: https://edition.cnn.com/2019/06/20/middleeast/iran-drone-claim-hnk-intl/index.html [Accessed 6 Oct. 2019].
  10. CNBC. (2017). This camera is built to detect and take down drones. [online] Available at: https://www.cnbc.com/video/2017/10/12/this-camera-is-built-to-detect-and-take-down-drones.html [Accessed 9 Oct. 2019].
  11. Khandelwal, S. (2016). Hacker Hijacks a Police Drone from 2 Km Away with $40 Kit. [online] The Hacker News. Available at: https://thehackernews.com/2016/04/hacking-drone.html [Accessed 9 Oct. 2019].
  12. F, F. (2019). How to use Find My Drone. [online] Forum.dji.com. Available at: https://forum.dji.com/thread-121403-1-1.html [Accessed 9 Oct. 2019].
  13. the Guardian. (2019). Major Saudi Arabia oil facilities hit by Houthi drone strikes. [online] Available at: https://www.theguardian.com/world/2019/sep/14/major-saudi-arabia-oil-facilities-hit-by-drone-strikes [Accessed 11 Oct. 2019].
  14. Corfield, G. (2019). Second MoD Airbus Zephyr spy drone crashes on Aussie test flight. [online] Theregister.co.uk. Available at: https://www.theregister.co.uk/2019/10/09/airbus_zephyr_drone_second_crash_australia/ [Accessed 11 Oct. 2019].
  15. Sites.math.washington.edu. (2015). Lost and Found: Mathematically Locating Ocean Downed Aircraft. [online] Available at: https://sites.math.washington.edu/~morrow/mcm/mcm15/38724paper.pdf [Accessed 8 Oct. 2019].
  16. Maarse, M. and van Ginkel, J. (2016). Digital forensics on a DJI Phantom 2 Vision+ UAV. [online] Os3.nl. Available at: https://www.os3.nl/_media/2015-2016/courses/ccf/ccf_mike_loek.pdf [Accessed 8 Oct. 2019].

About The Authors

Chirath De Alwis is an experienced information security professional with more than five years’ experience in the Information Security domain. He holds a BEng (Hons), a PGDip, and eight professional certifications in cyber security, and is also reading for his MSc specializing in Cyber Security. Currently, Chirath is involved in vulnerability management, threat intelligence, incident handling and digital forensics activities in Sri Lankan cyberspace. You can contact him on chirathdealwis@gmail.com.

Chamalka De Silva is an enthusiastic information security student currently studying for a BSc (Hons) Ethical Hacking and Network Security degree at Coventry University (UK). You can contact him on chamalkamds@gmail.com.

About Scar de Courcier

Scar de Courcier is Senior Editor at Forensic Focus.
